Lecture 21

CMPT 371
Data Communications and Networking
Network Layer
NAT, IPv6
© Janice Regan, CMPT 128, 2007-2012
Private networks
• Recall that several blocks of addresses are reserved for local (private) addresses
  - 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
  - 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
  - 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
• Hosts using these addresses reach the Internet by means of network address translation (NAT)
IPv4 local addresses
• A local network may use local addresses taken from the blocks on the previous slide
• These addresses are non-routable and may be used only within the local network
  - They are not considered valid addresses on the Internet
  - They are valid only within the local network
• To communicate with the Internet, one or more routable addresses are needed
• Network address translation must occur on the router connecting the local network to the Internet
Types of NAT implementation
• Static NAT
• Dynamic NAT
• Overloaded NAT (NAPT, network address port translation)
Static NAT
[Figure: a NAT router joins the private network (hosts 192.168.3.1 through 192.168.3.7) to the Internet. The router holds the globally valid addresses 24.16.33.47 and 24.16.33.49; external hosts 24.16.47.23 and 24.16.77.12 are shown on the Internet side.]
Static NAT
• Some machines on the internal network need Internet access (192.168.3.3, 192.168.3.6)
• Several globally valid Internet addresses are available to the router connected to the local network (24.16.33.47, 24.16.33.49)
• Each host that needs Internet access is permanently allocated one of the available globally valid Internet addresses
  - 192.168.3.3 ↔ 24.16.33.47
  - 192.168.3.6 ↔ 24.16.33.49
• All other hosts have no connectivity to the Internet
Packet transmission through a static NAT (1)
• When 192.168.3.3 sends a packet to 24.16.47.23, the packet is received by the NAT router
• The sending host is unaware of the NAT
• The NAT replaces the local source address 192.168.3.3 with the corresponding globally valid address 24.16.47.23, recalculates the TCP or UDP checksum if the packet is TCP or UDP, and then forwards the packet toward the destination
Packet transmission through a static NAT (2)
• The destination host sees the NAT's replacement address, 24.16.47.23, as the source IP address and sends its reply to that address
• The NAT receives the reply and
  - removes the destination address (its own address) from the packet
  - replaces the destination address with the corresponding internal address, 192.168.3.3
  - for UDP or TCP packets, recalculates the checksum
  - forwards the packet to the internal host that sent the original packet
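The two slides above describe the address rewrite and checksum steps in words. The following is an added example (mine, not part of the lecture) that carries them out on a constructed IPv4/UDP packet, using the mapping from the Static NAT slide (192.168.3.3 ↔ 24.16.33.47, 192.168.3.6 ↔ 24.16.33.49). It recomputes the IPv4 header checksum and the UDP checksum; the latter must change because it is computed over a pseudo-header that contains the IP addresses. Hosts with no mapping get no translation (no Internet connectivity), and a UDP datagram sent with its checksum disabled is left alone. The packet builder, addresses and payloads are constructed sample data.

```python
import struct

# Static NAT table from the lecture's Static NAT slide: internal <-> globally valid address
STATIC_MAP = {
    "192.168.3.3": "24.16.33.47",
    "192.168.3.6": "24.16.33.49",
}
REVERSE_MAP = {public: local for local, public in STATIC_MAP.items()}

UDP, TCP = 17, 6


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def internet_checksum(data):
    """RFC 1071 ones-complement checksum; yields 0 when run over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_checksum(packet, ihl, proto):
    """Checksum over the transport segment plus the IPv4 pseudo-header (src, dst, zero, proto, length)."""
    segment = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    return internet_checksum(pseudo + segment)


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64):
    """Constructed sample packet: a minimal IPv4 header (no options) carrying one UDP datagram."""
    udp_len = 8 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl, UDP, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    packet = header + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    # UDP transmits 0xFFFF when the computed checksum is 0, since 0 means "no checksum"
    csum = transport_checksum(packet, 20, UDP) or 0xFFFF
    return packet[:26] + struct.pack("!H", csum) + packet[28:]


def translate(packet, outbound):
    """Apply the static NAT to one packet.

    outbound=True  rewrites the source address (local -> global) as the packet leaves the private network.
    outbound=False rewrites the destination address (global -> local) for a reply coming back in.
    Returns None for hosts with no mapping. Both the IPv4 header checksum and, for TCP/UDP,
    the transport checksum are recomputed after the address changes."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if outbound:
        new = STATIC_MAP.get(bytes_to_ip(packet[12:16]))
        if new is None:
            return None
        packet = packet[:12] + ip_to_bytes(new) + packet[16:]
    else:
        new = REVERSE_MAP.get(bytes_to_ip(packet[16:20]))
        if new is None:
            return None
        packet = packet[:16] + ip_to_bytes(new) + packet[20:]
    # IPv4 header checksum: zero the field, recompute over the header, write it back
    header = packet[:10] + b"\x00\x00" + packet[12:ihl]
    packet = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:] + packet[ihl:]
    if proto in (UDP, TCP):
        off = ihl + (6 if proto == UDP else 16)   # offset of the transport checksum field
        if proto == UDP and packet[off:off + 2] == b"\x00\x00":
            return packet                          # sender disabled the UDP checksum; nothing to fix
        zeroed = packet[:off] + b"\x00\x00" + packet[off + 2:]
        csum = transport_checksum(zeroed, ihl, proto)
        if proto == UDP and csum == 0:
            csum = 0xFFFF
        packet = zeroed[:off] + struct.pack("!H", csum) + zeroed[off + 2:]
    return packet


def checksums_ok(packet):
    """Verify both checksums the way a receiving stack would."""
    ihl = (packet[0] & 0x0F) * 4
    return internet_checksum(packet[:ihl]) == 0 and transport_checksum(packet, ihl, packet[9]) == 0


if __name__ == "__main__":
    pkt = build_ipv4_udp("192.168.3.3", "24.16.47.23", 1400, 53, b"hello")
    out = translate(pkt, outbound=True)
    print(bytes_to_ip(out[12:16]), "->", bytes_to_ip(out[16:20]), "checksums ok:", checksums_ok(out))
```

The checksum verification step is the part worth keeping in mind from a defender's point of view: a NAT that rewrote addresses without fixing the transport checksum would have every translated TCP or UDP segment silently discarded by the receiving host.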
Dynamic NAT
• Establishes a one-to-one relationship between non-routable internal addresses and the globally valid IP addresses assigned to the NAT
• The non-routable address bound to each globally valid address may change over time as communications are initiated and completed
Dynamic NAT operation
• Similar to static NAT, except that the router keeps a pool of available globally valid IP addresses
• Each time an internal host begins communication with the Internet, the first packet destined for the Internet reaches the NAT-enabled router
  - The NAT-enabled router takes the next available globally valid IP address from the pool and assigns it to the internal host
  - When the communication is complete, the address is returned to the pool
NAPT (network address port translation)
• Also called NAT overloading
• Again, the local network uses locally valid non-routable IP addresses (not globally valid)
  - In this configuration the NAT allows more than one local host to use the same globally valid Internet address
  - The NAT has one or more globally valid IP addresses
  - Communications with different hosts are differentiated by using different port numbers (transport layer)
  - This use of port numbers is not consistent with the layered design of the protocol stack: port numbers are not part of the network layer address, and ports are designed for end-to-end communication, not to be changed at each intermediate station
  - Using ports in this way also causes other problems
Overloaded NAT
[Figure: the same private network (192.168.3.1 through 192.168.3.7) behind the NAT router, which now shares its globally valid addresses 24.16.33.47 and 24.16.33.49 among all local hosts; external hosts 24.16.47.23 and 24.16.77.12 are on the Internet side.]
Overloaded NAT Example

Source Computer   Source Port   NAT IP        NAT port
192.168.3.1       1350          24.16.33.47   1200
192.168.3.2       1352          24.16.33.47   1201
192.168.3.3       1400          24.16.33.47   1202
192.168.3.4       1450          24.16.33.49   1200
192.168.3.5       555           24.16.33.49   1201
192.168.3.6       1666          24.16.33.47   1203
NAPT example (1)
• A host on the local network, say 192.168.3.5, sends a packet to an external host, 24.16.47.23, from port 555
• The NAT-enabled router receives the packet from the local host 192.168.3.5
• The NAT-enabled router stores the source IP address and port number in its address translation table
• The NAT-enabled router replaces the IP address and port number in the packet with those it stores in the address translation table for this connection (for this example 24.16.33.49 and 1201)
• The NAT-enabled router recalculates the UDP or TCP checksum (for UDP and TCP packets) before forwarding the packet to the destination
NAPT example (2)
• When the destination receives the packet it appears to have come from the NAT (24.16.33.49)
• Any responses are sent to 24.16.33.49 and are thus received by the NAT router
• The NAT router checks the destination port in the response packet
• By referring to the address translation table, the NAT router finds the corresponding local non-routable address and port
• The NAT router replaces the destination IP address and port with the local non-routable address and the corresponding port, recalculates the checksums as needed, and forwards the packet to the original source host
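The translation table described in the two NAPT slides above, as an added example (mine, not the lecture's): a toy NAPT holding the lecture's two public addresses that shows the outbound allocation of a (NAT IP, NAT port) pair for a new connection, the inbound lookup on the destination port, and two consequences discussed on the later Problems slide: an inbound packet with no table entry is dropped, and a given (NAT IP, port) pair can be forwarded to only one internal host. Packets are plain records and checksum handling is omitted. The allocation policy (the public address with the fewest active mappings, first listed on ties, ports handed out from 1200 upward) is my assumption, so the ports differ from the table on the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the fields NAPT looks at: IP addresses and transport-layer ports."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Napt:
    """Toy NAPT: a table keyed by (local IP, local port) and its reverse keyed by (NAT IP, NAT port)."""

    def __init__(self, public_ips, first_port=1200, last_port=65535):
        self.public_ips = list(public_ips)      # globally valid addresses owned by the router
        self.next_port = {ip: first_port for ip in self.public_ips}
        self.last_port = last_port
        self.out_table = {}   # (local ip, local port) -> (NAT ip, NAT port)
        self.in_table = {}    # (NAT ip, NAT port)     -> (local ip, local port)

    def _allocate(self):
        # Assumed policy: the public address with the fewest active mappings, first listed on ties
        active = {ip: 0 for ip in self.public_ips}
        for ip, _port in self.in_table:
            active[ip] += 1
        ip = min(self.public_ips, key=lambda p: active[p])
        port = self.next_port[ip]
        while port <= self.last_port and (ip, port) in self.in_table:
            port += 1                                  # skip ports taken by static forwards
        if port > self.last_port:
            raise RuntimeError("no free port left on %s" % ip)
        self.next_port[ip] = port + 1
        return ip, port

    def outbound(self, pkt):
        """Local host -> Internet: record the source, then rewrite it to the (NAT IP, NAT port) pair."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:                  # first packet of a new connection
            self.out_table[key] = self._allocate()
            self.in_table[self.out_table[key]] = key
        nat_ip, nat_port = self.out_table[key]
        return Packet(nat_ip, nat_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Internet -> local host: look up the destination port; no entry means the packet is dropped."""
        local = self.in_table.get((pkt.dst_ip, pkt.dst_port))
        if local is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, local[0], local[1], pkt.payload)

    def forward_port(self, nat_ip, nat_port, local_ip, local_port):
        """Static entry so one server behind the NAT is reachable; a (NAT IP, port) pair maps to one host only."""
        key = (nat_ip, nat_port)
        if key in self.in_table:
            raise ValueError("%s:%d is already mapped to %s:%d" % (key + self.in_table[key]))
        self.in_table[key] = (local_ip, local_port)
        self.out_table[(local_ip, local_port)] = key

    def table(self):
        """Rows in the slide's column order: source computer, source port, NAT IP, NAT port."""
        return [(lip, lport, nip, nport) for (lip, lport), (nip, nport) in sorted(self.out_table.items())]


if __name__ == "__main__":
    nat = Napt(["24.16.33.47", "24.16.33.49"])
    print(nat.outbound(Packet("192.168.3.5", 555, "24.16.47.23", 80, b"GET /")))
    print(nat.inbound(Packet("24.16.47.23", 80, "24.16.33.47", 1200, b"200 OK")))
    print(nat.inbound(Packet("24.16.77.12", 80, "24.16.33.47", 4444)))   # None: unsolicited, dropped
    for row in nat.table():
        print(row)
```

The dropped unsolicited packet is the same mechanism that makes a NAPT an accidental inbound filter and that breaks servers and P2P peers behind it: nothing reaches a local host unless a table entry for that (NAT IP, port) exists, whether created by an outbound packet or by a static forward.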
Problems with NAPT
• Although NAPT is the most commonly used form of NAT, it causes some serious difficulties
  - The most common encryption and authentication mechanisms used at the IP layer do not function when NAPT is used. Patching these problems requires yet more serious violations of design principles, and only some of them can be patched
  - Servers that require connections to a particular port can only be run on one machine (the one that is using that port in the NAPT mapping)
  - P2P applications require a server to run on each peer, so P2P applications break unless extraordinary measures are taken (connection reversal: connect directly to a machine outside the local net and route the P2P connection through that machine; this breaks security)
Change IP, other solutions?
• Address space exhaustion (temporary solution: CIDR)
  - Two-level addressing (network and host) results in many unused addresses; addresses are committed even if they are not used, or are held for potential growth of the network
  - Growth of networks and the Internet
  - Extended use of TCP/IP
• Lack of security and authentication
  - Temporary solution: IPsec retrofitted to IPv4
• Requirements for new types of service
  - Temporary solution: differentiated services replaces TOS
  - Not able to guarantee real-time transmission of services like video or audio
Improvements in IPv6 (1)
• Expanded address space: 128-bit addresses
• Improved option mechanism: additional separate optional headers between the IPv6 header and the transport layer header. Fixed-length (40 byte) primary header
  - Most additional headers are not examined by intermediate routers, improving processing speed at intermediate routers and simplifying router processing
  - It is easier to add options by adding more intermediate headers
• Address autoconfiguration: allows dynamic assignment of addresses
IPv6 Improvements (2)
• Increased addressing flexibility:
  - Anycast: delivered to one of a set of nodes
  - Improved scalability of multicast addresses
• Support for resource allocation:
  - Labeling of packets as belonging to a particular traffic flow
  - Allows special handling (e.g. support for real-time streams for applications such as video)
  - Replaces type of service
• New version of ICMP: ICMPv6 (RFC 2463)
  - The functionality of ICMPv4, of ARP (neighbor discovery, RFC 2461) and of IGMP (multicast listener discovery, RFC 2710 and RFC 3810) is combined in one protocol
IPv6 packet structure
[Figure: an IPv6 packet is the fixed IPv6 header, followed by zero or more extension headers, then the transport header and DATA. The headers shown, in the order they appear in the packet, are:
  IPv6 header
  Hop by Hop header
  Destination options header
  Routing header
  Fragment header
  Authentication header
  Encapsulating Security header
  Destination options header
  Transport header
  DATA]
IPv6 Header
[Figure 33.2 from Comer (2000): layout of the IPv6 header; the fields are described on the next two slides.]
IPv6 Header Fields (1)
• Version (4 bits): 6
• Traffic Class (8 bits): experimental; indicates the class or priority of the packet. Still undefined; provides a way for applications to experiment with classes
• Flow Label (20 bits): experimental; indicates that the packet belongs to a specific sequence of packets that can be referenced by flow number. Used by hosts requesting special handling of such a sequence of packets. Multiple sequences can flow between the same hosts; each packet in a sequence must have identical Hop by Hop and routing headers and IPv6 addresses
IPv6 Header Fields (2)
• Payload length (16 bits): includes all extension headers plus user data
• Next Header (8 bits): indicates the type of the first extension header or, in the absence of extension headers, the protocol for the next layer up (same as for IPv4)
• Hop Limit (16 bits): maximum number of allowed hops (0-255). When the number is exceeded, an ICMPv6 Time Exceeded message is sent
• Source Address (128 bits)
• Destination address (128 bits)
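The fixed header fields on the last two slides and the extension-header chain from the packet-structure slide, as an added example that is not part of the lecture: it packs and parses the 40-byte header using the RFC 2460 layout (4-bit version, 8-bit traffic class, 20-bit flow label, 16-bit payload length, 8-bit next header, a one-octet hop limit, two 128-bit addresses), follows the Next Header chain through Hop-by-Hop, Destination Options, Routing and Fragment headers to find the transport protocol, and shows the router's hop-limit step that leads to an ICMPv6 Time Exceeded message. The packet contents are constructed; the option bytes are a single PadN option, and the addresses are documentation addresses.

```python
import struct
import ipaddress

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
UDP, TCP, ICMPV6 = 17, 6, 58
NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
         DEST_OPTS: "Destination Options", UDP: "UDP", TCP: "TCP", ICMPV6: "ICMPv6"}
FIXED = "!IHBB16s16s"   # first 32-bit word, payload length, next header, hop limit, src, dst


def build_ipv6(src, dst, next_header, payload, traffic_class=0, flow_label=0, hop_limit=64):
    """Pack the fixed 40-byte IPv6 header (RFC 2460 layout) in front of payload."""
    if not 0 <= flow_label < (1 << 20) or not 0 <= traffic_class < 256:
        raise ValueError("flow label is 20 bits, traffic class 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(FIXED, first_word, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def options_header(following, options=b""):
    """Hop-by-Hop or Destination Options header: next header, Hdr Ext Len (in 8-octet units, not
    counting the first 8 octets), then the options padded with Pad1 (0x00) to an 8-octet boundary."""
    body = options + bytes((-(2 + len(options))) % 8)
    return struct.pack("!BB", following, (2 + len(body)) // 8 - 1) + body


def fragment_header(following, offset_octets, more, ident):
    """Fragment header: fixed 8 octets; the offset is carried in 8-octet units with the M flag in bit 0."""
    return struct.pack("!BBHI", following, 0, ((offset_octets // 8) << 3) | (1 if more else 0), ident)


def parse_fixed_header(packet):
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack(FIXED, packet[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"version": 6, "traffic_class": (first_word >> 20) & 0xFF, "flow_label": first_word & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst))}


def walk_headers(packet):
    """Follow the Next Header chain from the fixed header. Returns the parsed fixed header, the list of
    (extension header name, offset) in order, the upper-layer protocol name and its offset. Any header
    whose length is not self-describing (ESP, unknown values) ends the walk and is treated as payload."""
    fixed = parse_fixed_header(packet)
    if 40 + fixed["payload_length"] != len(packet):
        raise ValueError("payload length does not match packet size")
    chain, nh, off = [], fixed["next_header"], 40
    while nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header at offset %d" % off)
        if nh == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop header must immediately follow the IPv6 header")
        chain.append((NAMES[nh], off))
        length = 8 if nh == FRAGMENT else (packet[off + 1] + 1) * 8
        nh, off = packet[off], off + length
    return fixed, chain, NAMES.get(nh, "protocol %d" % nh), off


def forward(packet):
    """One router hop: decrement Hop Limit. A packet whose Hop Limit would reach 0 is discarded (a real
    router then sends ICMPv6 Time Exceeded to the source); None signals the discard."""
    hop_limit = packet[7]
    if hop_limit <= 1:
        return None
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


if __name__ == "__main__":
    # Constructed packet: IPv6 | Hop-by-Hop (one PadN option) | Fragment | 8 bytes of UDP
    payload = options_header(FRAGMENT, b"\x01\x02\x00\x00") + fragment_header(UDP, 0, False, 0xABCD) + bytes(8)
    pkt = build_ipv6("2001:db8::1", "2001:db8::2", HOP_BY_HOP, payload, flow_label=0x12345, hop_limit=3)
    print(walk_headers(pkt))
    hop = pkt
    while hop is not None:
        hop = forward(hop)
        print("hop limit now", None if hop is None else hop[7])
```

The length check against the payload length field and the truncation check inside the loop are what a parser needs before trusting the chain: the Hdr Ext Len byte comes from the packet itself, and a parser that indexed past the buffer on its say-so would be reading memory it should not.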
IPv6 Addresses (1)
• 128 bits long, represented as hexadecimal numbers separated by colons
• Divided into 8 blocks of 16 bits, each represented by 4 hexadecimal digits
  - Leading zeros can be omitted, but one zero remains if all 4 hexadecimal digits are zero
    1080:0:0:0:8:8A0:200C:417A
  - One string of colon-separated zero blocks can be abbreviated to :: (not more than one)
    1080:0000:0000:0000:0008:08A0:200C:417A
    1080::0008:08A0:200C:417A
• Uses prefixes in the same CIDR-like notation, e.g. 21DA:D3:0:2F3B::/64 denotes the network prefix (the network address of length 64 is 21DA:D3:0:2F3B)
IPv6 Addressing
• Three types of address
  - Unicast: delivered to a single interface
  - Multicast: delivered to a set of interfaces
    - Delivered to all interfaces identified
    - Interfaces may be on different network segments
    - Broadcast is treated as a special case of multicast
  - Anycast
    - Set of interfaces (typically on different nodes)
    - Delivered to any one (the nearest) interface of the set
    - Allocated from aggregatable global unicast addresses
IPv6 Fragmentation
• Fragmentation is only allowed at the source
• No fragmentation at intermediate routers
• The node must perform path discovery to find the smallest maximum transmission unit (MTU) of the intermediate networks, or use the minimum MTU size of 1280 octets
• The source fragments to match the MTU
• Fragmentation algorithm is the same as IPv6
• Reduces load at intermediate hosts/routers
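Source-only fragmentation as described on the slide above, as an added example (mine, not the lecture's): the sender splits a packet that exceeds the path MTU into fragments, each carrying the original header, a Fragment extension header (offset in 8-octet units, M flag, identification) and a slice of the payload, following RFC 2460 section 4.5 for the case of no extension headers; the receiver reassembles fragments arriving in any order and rejects gaps, overlaps or a missing last fragment. A path MTU below the 1280-octet minimum is rejected. The packet and its payload are constructed sample data.

```python
import struct
import ipaddress

FRAGMENT = 44
MIN_MTU = 1280   # every IPv6 link must deliver packets of at least this size


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Constructed sample packet: fixed 40-byte IPv6 header, no extension headers, plus payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def fragment(packet, path_mtu, ident):
    """Source-side fragmentation (RFC 2460 section 4.5) of a packet with no extension headers.

    Every fragment carries the original header (Next Header set to Fragment, 44), an 8-octet
    Fragment header, and a slice of the original payload; all slices but the last are multiples
    of 8 octets because the Fragment header stores the offset in 8-octet units."""
    if path_mtu < MIN_MTU:
        raise ValueError("path MTU %d is below the IPv6 minimum of %d" % (path_mtu, MIN_MTU))
    if len(packet) <= path_mtu:
        return [packet]                      # fits on the path: nothing to do
    header, payload = packet[:40], packet[40:]
    original_next = header[6]
    header = header[:6] + bytes([FRAGMENT]) + header[7:]
    chunk = (path_mtu - 40 - 8) // 8 * 8     # payload octets per fragment, rounded down to 8
    fragments = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        frag_hdr = struct.pack("!BBHI", original_next, 0, ((off // 8) << 3) | more, ident)
        fragments.append(header[:4] + struct.pack("!H", 8 + len(data)) + header[6:] + frag_hdr + data)
    return fragments


def reassemble(fragments):
    """Destination-side reassembly of fragments sharing one identification, arriving in any order.
    Gaps, overlaps, a missing last fragment or mixed identifications raise ValueError."""
    pieces, ident = [], None
    for f in fragments:
        if f[6] != FRAGMENT:
            raise ValueError("packet carries no Fragment header")
        nxt, _, off_flags, fid = struct.unpack("!BBHI", f[40:48])
        if ident is None:
            ident = fid
        elif fid != ident:
            raise ValueError("fragments belong to different packets")
        pieces.append(((off_flags >> 3) * 8, off_flags & 1, nxt, f[48:]))
    if not pieces:
        raise ValueError("nothing to reassemble")
    pieces.sort(key=lambda p: p[0])
    expected, data = 0, b""
    for i, (off, more, nxt, body) in enumerate(pieces):
        if off != expected:
            raise ValueError("gap or overlap at offset %d" % off)
        last = i == len(pieces) - 1
        if more != (0 if last else 1):
            raise ValueError("M flag inconsistent with fragment position")
        data += body
        expected = off + len(body)
    header = fragments[0][:40]
    return header[:4] + struct.pack("!H", len(data)) + bytes([pieces[0][2]]) + header[7:] + data


if __name__ == "__main__":
    pkt = build_ipv6("2001:db8::1", "2001:db8::2", 17, bytes(range(256)) * 12)   # 3072-byte payload
    frags = fragment(pkt, MIN_MTU, 0x1234)
    print([len(f) for f in frags], "reassembled ok:", reassemble(frags[::-1]) == pkt)
```

The strict offset bookkeeping in `reassemble` is the defender's side of the slide: since routers never fragment, a host is the only place fragments are put back together, and overlapping or out-of-order fragments must be handled there without ever letting one fragment rewrite another's bytes.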
Transition IPv4 to IPv6 (1)
• During the transition, IPv6 hosts retain an IPv4 protocol stack to use for communication with IPv4 networks (dual stack approach)
[Figure: nodes A, B, C, D, E and Y with their protocol stacks marked; hosts A and D carry both IPv6 and IPv4, and the nodes between them are reached over IPv4.]
• Host A and Host D are both IPv6 enabled but are communicating using IPv4. We want them to use the more efficient IPv6
Transition IPv4 to IPv6 (2)
• When IPv6 hosts communicate through an IPv4 network, the IPv6 packets should be encapsulated in IPv4 packets and sent through a tunnel
[Figure: an IPv6 packet inside an IPv4 packet. The tunnel runs between the two dual-stack (IPv6 and IPv4) nodes across the IPv4 network, and the IPv4 data is the whole IPv6 packet:
  IPv4 header | IPv6 header | IPv6 data
              |<------- IPv4 data ----->|]